Samesite cookie but allow specific domain
I would like to secure my cookies using SameSite=strict. But is there a way to allow them to be accessed by only a few domains?

Beetner answered 24/11, 2020 at 11:38

Comments:

- Starting a bounty - is it possible to restrict SameSite to a specific list of domains? If not, is this because the standard or browsers do not support it yet or because it doesn't make sense? (Sikora)
- I want this, but I don't think it can be done ☹️ (Shipyard)
Take a look at the upcoming First Party Sets proposal from Google. This allows certain domains to be treated as if requests between them were same-site.

Note, however, that this is still in an early stage, is for now Google-specific and requires you to register the domains in a public repository.

Character answered 1/9, 2023 at 8:43
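As an added illustration (not code from any of the posts above), here is a simplified JavaScript model of the browser's SameSite decision: a cookie's scope is the site (scheme plus registrable domain), so no attribute lets you name extra domains, and the only mechanism that widens the scope is membership in a First-Party Set. The public-suffix list, the set membership and the request objects are constructed for the example.

```javascript
// Added example: a simplified model of how a browser decides whether a
// SameSite cookie travels with a request. A "site" is scheme + registrable
// domain (eTLD+1). The suffix list is a constructed stand-in for the real
// Public Suffix List; real browsers use the full list.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk"]);

function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  // Walk from the left; the first time the remainder is a public suffix,
  // the current label plus that suffix is the registrable domain.
  for (let i = 0; i < labels.length - 1; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i + 1).join("."))) {
      return labels.slice(i).join(".");
    }
  }
  return labels.join(".");
}

function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${registrableDomain(u.hostname)}`;
}

// Two sites count as "same-site" if they are equal, or if both belong to one
// First-Party Set (the Google proposal; the sets passed in are constructed).
function isSameSite(siteA, siteB, firstPartySets = []) {
  if (siteA === siteB) return true;
  return firstPartySets.some((set) => set.includes(siteA) && set.includes(siteB));
}

// request: { url, initiatorUrl, method, topLevelNavigation }
// Returns true when a cookie with this SameSite value is attached.
function cookieIsSent(sameSiteAttr, request, firstPartySets = []) {
  const target = siteOf(request.url);
  const initiator = request.initiatorUrl ? siteOf(request.initiatorUrl) : target;
  if (isSameSite(target, initiator, firstPartySets)) return true;
  // Cross-site request: only Lax (top-level GET navigation) or None let it through.
  switch (sameSiteAttr) {
    case "None":
      return true; // None also requires the Secure attribute, not modelled here
    case "Lax":
      return request.topLevelNavigation === true && request.method === "GET";
    default: // "Strict"
      return false;
  }
}
```

Adding a second set member is the only change that makes a Strict cookie flow between two registrable domains; a subdomain of the same registrable domain is already same-site without any set.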
Whitelisting strict referral domains would be a fantastic enhancement to cookie mgmt, but AFAIK this doesn't exist.

I am evaluating my own solution: set cookies to Lax and then implement my own whitelist that permits specific referrers; if the referring/redirecting website is not on the whitelist, delete all cookies and force the user to the login page. This would momentarily list/present existing cookies, which could be captured, but they would be useless because the page(s) that were redirected to would immediately delete the cookies because the referrer wasn't whitelisted.

Boring answered 28/7, 2023 at 3:15

© 2022 - 2024 — McMap. All rights reserved.